48.3.5. Configuring Firefox to use Kerberos for SSO
- In the address bar of Firefox, type about:config to display the list of current configuration options.
- In the Filter field, type negotiate to restrict the list of options.
- Double-click the network.negotiate-auth.trusted-uris entry to display the Enter string value dialog box.
- Enter the name of the domain against which you want to authenticate, for example, .example.com.
- Repeat the above procedure for the network.negotiate-auth.delegation-uris entry, using the same domain.
Note: You can leave this value blank, as it allows Kerberos ticket passing, which is not required.

If you do not see these two configuration options listed, your version of Firefox may be too old to support Negotiate authentication, and you should consider upgrading.
Figure 48.6. Configuring Firefox for SSO with Kerberos
Type kinit to retrieve Kerberos tickets. To display the list of available tickets, type klist. The following shows an example output from these commands:

    ~]$ kinit
    Password for user@EXAMPLE.COM:

    ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_10920
    Default principal: user@EXAMPLE.COM

    Valid starting     Expires            Service principal
    10/26/06 23:47:54  10/27/06 09:47:54  krbtgt/USER.COM@USER.COM
            renew until 10/26/06 23:47:54

    Kerberos 4 ticket cache: /tmp/tkt10920
    klist: You have no tickets cached
- Close all instances of Firefox.
- Open a command shell, and enter the following commands:
- Restart Firefox from that shell, and visit the website you were unable to authenticate to earlier. Information will be logged to /tmp/moz.log, and may give a clue to the problem. For example:

    -1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
    -1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
    No credentials cache found

This indicates that you do not have Kerberos tickets, and need to run kinit.

If you can run kinit successfully from your machine but you are still unable to authenticate, you might see something like this in the log file:

    -1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
    -1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
    Server not found in Kerberos database

This generally indicates a Kerberos configuration problem. Check the domain-to-realm mappings in the [domain_realm] section of the /etc/krb5.conf file. For example:

    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
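The following shell helpers tie the steps above together: writing the two Negotiate preferences into a Firefox user.js (an alternative to editing them in about:config), classifying a /tmp/moz.log by the gss_init_sec_context() failure it records, and checking that krb5.conf carries both [domain_realm] entries. This is an added example, not code from the guide; the function names are my own, the log files reuse the excerpts quoted above, and the krb5.conf fragment is a constructed sample.

```shell
# Helpers for the Firefox/Kerberos SSO setup described above. This is an added example,
# not part of the guide. The log files are the excerpts quoted above; the krb5.conf
# fragment is a constructed sample. Everything is written to a scratch directory.

# Append the two Negotiate preferences from the steps above to a Firefox user.js
# (an alternative to setting them in about:config). $1 = domain, $2 = user.js path.
write_negotiate_prefs() {
    printf 'user_pref("network.negotiate-auth.trusted-uris", "%s");\n' "$1" >> "$2"
    # Left empty: delegation-uris enables ticket forwarding, which plain SSO does not need.
    printf 'user_pref("network.negotiate-auth.delegation-uris", "");\n' >> "$2"
}

# Classify a negotiateauth log (/tmp/moz.log above) by the gss_init_sec_context()
# failure it records. Prints one of: no-tickets, realm-mapping, unknown, ok.
diagnose_negotiate_log() {
    if grep -q 'No credentials cache found' "$1"; then
        echo no-tickets       # run kinit first
    elif grep -q 'Server not found in Kerberos database' "$1"; then
        echo realm-mapping    # check [domain_realm] in /etc/krb5.conf
    elif grep -q 'gss_init_sec_context() failed' "$1"; then
        echo unknown
    else
        echo ok
    fi
}

# Return 0 if the [domain_realm] section of krb5.conf ($1) maps both "$2" and ".$2"
# to realm $3, the pair of entries shown above. Whitespace around "=" is ignored.
domain_realm_mapped() {
    entries=$(sed -n '/^\[domain_realm\]/,/^\[/p' "$1" | sed 's/[[:space:]]//g')
    echo "$entries" | grep -Fxq ".$2=$3" && echo "$entries" | grep -Fxq "$2=$3"
}

SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/no-tickets.log" <<'EOF'
-1208550944[90039d0]: entering nsNegotiateAuth::GetNextToken()
-1208550944[90039d0]: gss_init_sec_context() failed: Miscellaneous failure
No credentials cache found
EOF
cat > "$SAMPLE_DIR/realm.log" <<'EOF'
-1208994096[8d683d8]: entering nsAuthGSSAPI::GetNextToken()
-1208994096[8d683d8]: gss_init_sec_context() failed: Miscellaneous failure
Server not found in Kerberos database
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
EOF
```

Run diagnose_negotiate_log against a real /tmp/moz.log and domain_realm_mapped against /etc/krb5.conf to get the same two checks on a live system.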